Are Enterprises Really Hacking the Hackers?

Wednesday, June 27, 2012

Contributed By:
Rafal Los

Everyone's been talking about the hottest topic right now which is this recent story on the AP titled "Hacked companies fight back with controversial steps".

I encourage you to read the article first, then read my analysis otherwise you may miss a few of the finer points of this discussion.

The big attention-grabbing statement is this one right across the top of the story - "Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action."

Now, if you read that statement and don't know any better, as is the case with about 90%+ of the readers of the Associated Press who aren't information security experts, you would think that these hacked companies are actually hiring hackers to go counter-hack their hackers. This all sounds very... James Bond'ish... doesn't it?

As a colleague pointed out in confidence to me the other day, we both know security professionals who are probably doing this kind of dirty-work, which (even though I am not an attorney and wish to offer no legal advice) is likely highly illegal and what's more - difficult to accomplish without collateral damage.

Where this article goes awry is the confusion it generates - confusing "active defense" with "strike back technology" as the author puts it. Those are, for those of us who are familiar with these concepts, completely different things.

Active defense, as the article tries to explain, is understood as... well... actively defending yourself. Using technology which can confuse the attacker, mislead them to spend time on worthless parts of an application, or slow the response rate of the network or application down... that's active defense. Actively dropping packets that are suspect, or malicious, that's active defense.

Striking back, as the story quotes the people from CrowdStrike (whom seem to be driving this silly story) seem to define it, involves actually going on the offensive and 'hacking the hackers'. How and to whom does this sound like a good idea, and a sound investment of time?

Luckily, there is a beacon of hope offered here in the form of an opinion ... ""There is no business case for it and no possible positive outcome," said John Pescatore, a National Security Agency and Secret Service veteran who leads research firm Gartner's Internet security practice."

This actually makes sense to me, as a rational and intelligent response... I can't even imagine the type of international incidents the potentially reckless type of "striking back" activity can cause!

Here it is in a nutshell folks, my personal opinion, focus on active defense if you're that advanced, but don't go on the offense... leave that up to the authorities who are legally allowed to track the bad guys.

This isn't the wild west, and remember you can't just go track down a hacker using your own hacking techniques... because then what? I can't imagine that evidence obtained by criminal means would be admissible in any court of law... right?

Be pragmatic. Be smart. Don't listen to confusing and sensational news stories driven by companies who want to make a name for themselves doing cool secret-agent work.

Cross-posted from Following the White Rabbit

Share This! |

Views:	2920
Categories:	Policy
Industries:	Information Security
Tags:	Incident Response Cyber Security Attacks Network Security hackers FUD Remediation Media Offensive Security Active Defense

Post Rating I Like this!

Comments:

Jayson Wylie This one is really disturbing and perplexing to me. I don't doubt the notion is going through upper management chains and they might see this a a valid response.

It seems some security agencies are going to offer this as a service and that's a bit sketchy to me.

What happened to the basic two wrongs don't make a right? There is ethical hacking and there is criminal activity. I feel it boils down to being authorized.

Why does an attack and vendetta approach sound better the hiring a sec firm to attack the hell out of your own systems? That makes more sense to me and it's significantly less complex.

I am struggling with some of the current trends of security and especially the detachment of typical IS and IT security bodies and thinking.

IS may better think that counter attacking is a viable action.

IT security that performs the role of threat detection and will tell you that it's not as easy to track talented attackers.

Instead, lot's of malware like worms and Trojans hitting what they can. Many compromised web servers and other nodes like commonly infected hosts on the internet source attacks.

What about all those poor souls hosting LoICs and don't know anything about that?

Security professionals be very careful in championing this approach. It's not even about waking up a bear and being hit even harder or fighting fire with fire.

It's about upholding the law and ethics and understanding the laws and how to work within them to show a model of proper behavior in the profession to show example and not provide more cause for activity that is in the very basic illegal.

I hope, in this case, the rumors are highly exaggerated.

1340887164

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"I thought this article discuss a very important issue of security.If we have well developed technology in one particular field then we ..."

Mobile Security Processes Could Be Applied t... Johnnie Nix on 05-21-2013

"ATM machine are for our convenience but if we are not careful they can compromise our safety. Discount theater tickets "

ATM Security (And Really Learning from the P... Johnnie Nix on 05-21-2013

"A expressive case study is used to explore causation in order to find underlying principles. Case studies may be prospective in which c..."

New Study Published on Mobile Malware... Caitlin Rachel on 05-21-2013

"In the social sciences and life sciences a case study or case report is a descriptive or descriptive analysis of a someone, group or ev..."

Case Study: A Cloud Security Assessment... Caitlin Rachel on 05-21-2013